Method, system, and computer program product for assessing information security

ABSTRACT

Methods and systems to assess information security based on a combination of user responses to computer-selected queries and results of a testing/diagnostic application. Users may be interviewed based on areas of expertise. Information security assessment may be performed with respect to domains of an enterprise, the results of which may be rolled up to assess information security across the enterprise. A system may include application-specific questions and vulnerabilities, industry-specific questions and vulnerabilities, a repository of expert knowledge, and/or working aids. A system may include an inference engine, which may include a logic-based inference engine, a knowledge-based inference engine, and/or an artificial intelligence inference engine. A system may include an application-specific tool to configure the system to assess security of information handled by a third party application program.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. Utility patent application Ser. No. 11/144,946, filed Jun. 6, 2005, which is a divisional application of U.S. Utility application Ser. No. 09/558,387, filed Apr. 26, 2000 (U.S. Pat. No. 6,925,443), all of which are incorporated herein by reference in their entireties.

BACKGROUND

1. Field of the Invention

The present invention relates to information security assessments and, more particularly, to information security assessments based on one or more of information technology infrastructure characteristics, components, configuration, connectivity, and/or architecture, information handling policies, procedures, training, and/or awareness, enterprise type, and/or user area of expertise.

2. Related Art

Corporate and government enterprises rely on a variety of types of information, such as customer information, vendor information, personnel information, and regulatory filing/compliance information. If any of this information is compromised, whether by accident or malicious intent, then the business of the enterprise suffers. Assessing and improving information security is thus a goal of an enterprise.

Information security has both technology based elements and non-technology based elements. Deficiencies in either may compromise information security.

Technology based elements of information security typically include information technology (“IT”) infrastructure characteristics, components (hardware and software), configuration of the components (e.g., version and patch history of an operating system, routers, and firewalls), connectivity of the components, and architecture. Information security can be compromised by weaknesses and/or vulnerabilities in IT components, configuration of the IT components, connectivity of the IT components, or architecture of the entire IT infrastructure or portions thereof. These are referred to as technology based vulnerabilities and risks.

For example, many technology components, hardware and software, have known inherent vulnerabilities and/or risks. Vulnerabilities and/or risks may vary by manufacturer, version, installed patches, etc. Similarly, the way in which IT components are configured may create vulnerabilities and/or risks to the information handled by the IT infrastructure. For example, hardware switch settings or software settings may be associated with known vulnerabilities and/or risks to the information handled by the IT infrastructure. Similarly, the way in which IT components are interconnected may create vulnerabilities and/or risks to the information handled by the IT infrastructure.

Non-technology based information security elements can include information handling policies, procedures, training, and/or awareness. Information security handling policy generally refers to guidelines, instructions, rules, and/or regulations for handling information. Information security procedure generally refers to specific step-by-step instructions for implementing security handling policies. Information security policies and procedures tend to vary by enterprise type and by the type of information being handled.

Depending upon the context, information security policies may also refer to policies implemented within an IT infrastructure, such as firewall policies, for example. Vulnerabilities and risks associated with this category of information security, however, generally fall under the rubric of technology based vulnerabilities and risks, rather than non-technology based vulnerabilities and risks.

A fundamental goal of an information security policy is to communicate to everyone in an enterprise that information is a valuable asset to the enterprise and that everyone is responsible and accountable for protecting the information. A security policy is a visible representation of security considerations, requirements, priorities, assumptions, and responsibilities.

A security policy provides many benefits to an enterprise, including, without limitation:

demonstrates management commitment to protecting enterprise information;

provides cost benefit analyses of security measures to manage risk and protect enterprise assets;

supports an enterprise's mission and goals and acts as an enabler for the enterprise;

identifies what information must be protected;

establishes who is responsible for protecting information;

provides unambiguous expectations for employee conduct and responsibility;

provides consequences of misuse;

minimizes negative exposure to the enterprise by limiting liability, negative press, etc.;

guides product selection;

ensures proper implementation of IT.

Security policies are developed by identifying information to be managed, determining the value of the information, determining the way the information is used, identifying who creates and uses the information, assessing risks to the information, and deriving requirements for protecting the information.

Information security can be compromised by deficiencies in IT infrastructure characteristics, components, configuration, connectivity, and/or architecture, and/or by deficiencies in information handling policies, procedures, training, and/or awareness.

In order to protect information, an information security assessment should be performed to identify any deficiencies in systems and/or processes. A proper information security assessment results in corrective measures and policy fixes that are appropriate for the types of information used by the enterprise, the way(s) in which the information is used, the nature of the threats facing the information, and the vulnerabilities associated with the systems and processes.

What is needed, therefore, is a system and method for assessing information security that takes into account technology based vulnerabilities and risks and non-technology based vulnerabilities and risks.

Information security vulnerabilities and risks vary by enterprise type. This is due, in part, to the types of information handled by different types of enterprises, the different types of threats faced by different types of enterprises, and/or different IT infrastructures. Thus, government enterprises, for example, may have different vulnerabilities and risks than commercial enterprises.

What is needed, therefore, is a system and method for assessing information security that takes into account an enterprise type, including consideration of any industry specific vulnerabilities and risks.

Within an enterprise, information needed to properly assess information security may not rest with a single individual or even within a single group of individuals. For example, IT information may be spread among multiple individuals or groups of individuals. The individuals or groups of individuals may be geographically diverse. For example, wide area network (WAN) knowledge might rest with a WAN administrator, and local area network (LAN) information might rest with a LAN administrator. Other types of IT information might rest with one or more server administrators, IT supervisors, a CIO, etc.

Similarly, policies and procedures may vary within an enterprise depending upon the type of information being handled. For example, financial information, intellectual property information, human resource information, employee information, merger and acquisition information, regulatory information, and other types of information may each have their own policy and procedure. Different individuals and/or groups of individuals may not necessarily be aware of, or need to be aware of, policies and procedures outside of their respective areas of expertise.

What is needed, therefore, is a system and method for assessing information security that considers users' areas of expertise. Such a method and system should interview a plurality of users, based on each user's area(s) of expertise, to help ensure that questions are answered accurately by qualified users, and to obtain an overall picture of information security within an enterprise.

An enterprise may define itself in terms of departments, subsidiaries, or other terms (generally, “domains”). Domains may be legally distinct domains or enterprise defined domains. Domains may or may not be geographically based. Different domains within an enterprise may have similar and/or distinct information security issues to be addressed. For example, two or more domains within an enterprise may have substantially similar information security concerns, including technology based concerns and non-technology based concerns. On the other hand, two or more domains within an enterprise may have distinctly different information security concerns, including technology based concerns and non-technology based concerns.

What is needed, therefore, is a system and method for assessing information security that takes into account domains within an enterprise. Such a method and system should include a process for rolling up information security information from various domains to perform an enterprise wide information security assessment.

SUMMARY OF THE INVENTION

The present invention is directed to a method, system and computer program product for assessing information security in an enterprise. Users are interviewed with questions designed to elicit deficiencies in information security, based on known weaknesses and/or vulnerabilities. In an embodiment, users are interviewed regarding information technology (“IT”) infrastructure characteristics, components, configuration, connectivity, and/or architecture, and information handling policies, procedures, training, and/or awareness.

In an embodiment, users are interviewed based on areas of expertise, such as IT infrastructure areas of expertise.

In an embodiment, information security assessments are performed on domains within an enterprise, the results of which are rolled up to perform an information security assessment across the enterprise.

In an embodiment, the invention includes application specific questions and vulnerabilities, which permits a detailed assessment directed to known vulnerabilities associated with the application.

In an embodiment, the invention includes an application specific tailoring tool that allows a user to tailor the system to assess security of information handled by a third party application program.

In an embodiment, the invention includes industry specific questions and vulnerabilities. This permits a detailed assessment directed to known vulnerabilities and other issues associated with the various types of enterprise (e.g., government or commercial).

In an embodiment, the invention permits users to query a repository of expert knowledge.

In an embodiment, the invention provides users with working aids.

In an embodiment, the invention permits users to execute third party testing/diagnostic applications. The invention optionally combines results of the executed third party testing/diagnostic application(s) with user responses to interview questions. When the results are combined, security assessment is preferably based on both user responses and results of the executed third party testing/diagnostic application(s).

A system in accordance with the invention includes an inference engine, which may include a logic based inference engine, a knowledge based inference engine, and/or an artificial intelligence inference engine.

Further features and advantages of the present invention, as well as the structure and operation of various embodiments of the present invention, are described in detail below with reference to the accompanying drawings.

BRIEF DESCRIPTION OF THE FIGURES

The present invention will be described with reference to the accompanying drawings, wherein like reference numbers indicate identical or functionally similar elements. Also, the leftmost digit(s) of the reference numbers identify the drawings in which the associated elements are first introduced.

FIG. 1 illustrates a block diagram of an example IT infrastructure of an enterprise.

FIG. 2 illustrates a block diagram of various example types of information of an enterprise.

FIG. 3 illustrates a high level process flow chart of a method for assessing information security, in accordance with the present invention.

FIG. 4 illustrates a process flow chart of an example start-up process, in accordance with the present invention.

FIG. 5 illustrates a process flow chart of an example start-up process, in accordance with the present invention.

FIG. 6 illustrates a high level block diagram of a system for assessing information security, in accordance with the present invention.

FIG. 7 illustrates a process flow chart of an example initialization and interviewing process, in accordance with the present invention.

FIG. 8 illustrates a process flow chart of an example initialization and interviewing process, in accordance with the present invention.

FIG. 9 illustrates a process flow chart of an example initialization and interviewing process, in accordance with the present invention.

FIG. 10 illustrates an example interviewing step for interviewing users based on areas of expertise, in accordance with the present invention.

FIG. 11 illustrates an example process flow chart for interviewing users based on areas of expertise, in accordance with the present invention.

FIG. 12A illustrates an example process flow chart for interviewing users based on IT areas of expertise, in accordance with the present invention.

FIG. 12B illustrates an example process flow chart for interviewing users based on IT areas of expertise, in accordance with the present invention.

FIG. 13 illustrates a block diagram of an example system for assessing information security, including an optional initialization module, in accordance with the present invention.

FIG. 14 illustrates a block diagram of an example database, in accordance with the present invention.

FIG. 15A illustrates an example data flow process for assessing information security, in accordance with the present invention.

FIG. 15B illustrates an example data flow process for assessing information security, in accordance with the present invention.

FIG. 16 illustrates a block diagram of an example system for assessing information security, including an optional roll-up module, in accordance with the present invention.

FIG. 17 illustrates a block diagram of example details of the optional roll-up module, in accordance with the present invention.

FIG. 18 illustrates a block diagram of example details of the optional roll-up module, in accordance with the present invention.

FIG. 19 illustrates a block diagram of an example system for assessing information security, including an optional expert query module, in accordance with the present invention.

FIG. 20 illustrates a block diagram of an example system for assessing information security, including an optional third party testing/diagnostic module, in accordance with the present invention.

FIG. 21 illustrates a block diagram of an example third party application database, including an optional roll-up module, in accordance with the present invention.

FIG. 22 illustrates a block diagram of an example computer system architecture on which the present invention can be implemented.

DETAILED DESCRIPTION

I. INTRODUCTION

The present invention is directed to methods and systems for assessing information security.

In an embodiment, the present invention queries users with technology based questions and non-technology based questions. Technology based questions can include, without limitation, questions related to IT infrastructure components, configuration, and connectivity. Non-technology based questions can include, without limitation, questions related to information security handling policies, procedures, training, and/or awareness.

In an implementation of this embodiment, the present invention determines enterprise vulnerabilities and risks based on an integrated assessment of user responses to technology based questions and non-technology based questions. For example, one or more vulnerabilities and/or risks will depend upon user responses to both a technology based question and a non-technology based question.

However, the present invention is not limited to this embodiment. For example, one or more vulnerabilities and/or risks may depend only upon user responses to technology based questions. Similarly, one or more vulnerabilities and/or risks may depend only upon user responses to non-technology based questions.

In an embodiment, the present invention assesses information security based on an enterprise type, considering industry specific vulnerabilities and risks for the enterprise type.

In an embodiment, the present invention interviews users based on their areas of expertise. In this embodiment, the invention interviews users from multiple areas of expertise in order to obtain an overall information security assessment for the enterprise.

In an embodiment, the present invention assesses information security for domains within an enterprise. In an implementation of this embodiment, the invention includes a roll-up feature that assesses enterprise wide information security based on responses from users in the individual domains. In this mode, administrators across the enterprise use the invention in each of the enterprise's constituent components. The results are then aggregated to identify security issues across the enterprise. This roll-up embodiment is useful as a building block of a larger assessment or policy development effort. In this embodiment, the invention can be implemented to develop an overall information security posture of an entire enterprise.
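The roll-up described in the preceding paragraph, shown as an added example in Python. This is illustrative code written for this page, not code from the patent or from any product built on it. The domain names, finding identifiers and severity levels are constructed, and the merge policy (record each domain once per finding, keep the highest severity reported for a finding, and separate findings common to every domain from those local to one) is an assumption about how the aggregation could be done, not a description of the patented roll-up module:

```python
"""Added example (not code from the patent): rolling up per-domain results.

Each domain assessment is represented as a mapping from finding ID to the
severity reported in that domain.  Because domains may overlap (a person or
IT component can belong to more than one), the roll-up keys on finding ID,
records each domain only once, keeps the highest severity reported for a
finding, and separates findings common to every domain from those seen in
only one.  Domain names, finding IDs and severities are constructed."""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed per-domain assessment results (finding ID -> severity in that domain).
DOMAIN_RESULTS = {
    "headquarters":    {"V-FW-REMOTE": "high", "V-NO-TRAINING": "medium"},
    "branch-east":     {"V-NO-TRAINING": "low", "V-NO-POLICY": "high"},
    "subsidiary-west": {"V-NO-TRAINING": "medium"},
}


def roll_up(domain_results):
    """Merge per-domain findings into one enterprise-wide table.

    Returns {finding_id: {"severity": worst severity seen,
                          "domains": [domains reporting it, in input order]}}.
    """
    enterprise = {}
    for domain, findings in domain_results.items():
        for fid, severity in findings.items():
            entry = enterprise.setdefault(fid, {"severity": severity, "domains": []})
            if SEVERITY_RANK[severity] > SEVERITY_RANK[entry["severity"]]:
                entry["severity"] = severity          # never let a milder domain mask a worse one
            if domain not in entry["domains"]:        # tolerate a domain reported twice
                entry["domains"].append(domain)
    return enterprise


def classify(enterprise, total_domains):
    """Split findings into enterprise-wide (every domain) and domain-local (one domain)."""
    common = sorted(f for f, e in enterprise.items() if len(e["domains"]) == total_domains)
    local = sorted(f for f, e in enterprise.items() if len(e["domains"]) == 1)
    return common, local


def posture(domain_results):
    """Ordered enterprise report: worst severity first, then broadest spread, then ID."""
    enterprise = roll_up(domain_results)
    ranked = sorted(
        enterprise.items(),
        key=lambda kv: (-SEVERITY_RANK[kv[1]["severity"]], -len(kv[1]["domains"]), kv[0]),
    )
    return [(fid, e["severity"], len(e["domains"])) for fid, e in ranked]


if __name__ == "__main__":
    report = roll_up(DOMAIN_RESULTS)
    common, local = classify(report, len(DOMAIN_RESULTS))
    for fid, sev, n in posture(DOMAIN_RESULTS):
        print(f"{fid:16} {sev:7} in {n} of {len(DOMAIN_RESULTS)} domains")
    print("enterprise-wide:", common, " domain-local:", local)
```

Keeping the highest severity is the conservative choice: a finding that one domain rates low and another rates high is reported at high, since the enterprise-wide report is meant to drive policy for all domains. A finding reported by every domain is a candidate for an enterprise policy fix; a finding reported by one domain is more likely a local configuration or training deficiency.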

In an embodiment, the invention executes third party test/diagnostic/verification applications, such as CyberCop Scanner™ from Network Associates, McAfee or Symantec Antivirus, and ISS RealSecure™.

In an embodiment, the invention is implemented to assess security of information handled by a third party application, such as SAP and/or Oracle™, for example. In this embodiment, the invention includes application specific information, such as questions, vulnerabilities, instructions and/or code. Application specific information can be stored in one or more databases and/or other repositories of an information security tool kit.

In an embodiment, the invention includes a tool that allows users to generate and/or modify application specific information for the databases and other information repositories of an information security tool kit.

In an embodiment, the invention provides working aids, including, without limitation, working aids to assist users during interviewing, working aids to assist in understanding reports, and working aids to assist users in developing solutions, such as hot link working aids.

In an embodiment, the invention allows users to query a repository of information related to information security, IT infrastructure, or any other type of information embodied within a repository.

In an embodiment, the present invention is implemented with two or more of the above features. For example, in an embodiment, the present invention interviews a set-up administrator to determine an enterprise type, to associate individuals with areas of expertise, to determine whether any third party applications are involved, and/or to define domains within the enterprise. Based on responses from the set-up administrator, questions are selected from one or more pools of questions to interview users. Working aids are provided to the user, the user can query a repository of information, and the user can execute third party testing/diagnostic applications. Information security is assessed based on user responses, results of any third party testing/diagnostic applications, and replies to any queries from the user.
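The integrated assessment described earlier in this section (vulnerabilities that depend on both a technology based and a non-technology based answer, or on only one kind) and the combined embodiment of the preceding paragraph, shown together as one added Python example. It is illustrative code written for this page, not the patent's inference engine or any product's code. The question and rule identifiers, the question pool, the users and their areas of expertise, their answers, and the scanner result are all constructed, and the rule format (a set of answer values that must all match) is an assumption standing in for whichever logic based, knowledge based or artificial intelligence inference engine an implementation would use:

```python
"""Added example (not code from the patent): a small rule-based assessment
combining set-up administrator answers, users' answers routed by area of
expertise, and a third party tool result.  Every identifier, question, rule,
user and answer below is constructed for illustration."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    category: str                              # "technology" or "non-technology"
    expertise: str                             # area of expertise expected to answer it
    enterprise_types: frozenset = frozenset()  # empty: applies to every enterprise type
    application: str = ""                      # non-empty: third party application specific


QUESTION_POOL = [
    Question("T1", "Is the external firewall at the vendor's current patch level?", "technology", "LAN admin"),
    Question("T2", "Is firewall administration reachable only from the internal network?", "technology", "LAN admin"),
    Question("T3", "Have the SAP default accounts had their passwords changed?", "technology", "SAP admin",
             application="SAP"),
    Question("N1", "Is there a written policy requiring patches within a fixed period?", "non-technology",
             "IT supervisor"),
    Question("N2", "Were administrators trained on the patch policy within the last year?", "non-technology",
             "IT supervisor"),
    Question("N3", "Are regulatory filings handled under a documented procedure?", "non-technology",
             "compliance officer", enterprise_types=frozenset({"government"})),
]


@dataclass(frozen=True)
class Rule:
    rid: str
    description: str
    severity: str
    conditions: dict                           # answer key -> value required for the rule to fire


RULES = [
    # depends on a technology based answer AND a non-technology based answer
    Rule("V-PATCH-GAP", "Firewall unpatched and no policy compels patching", "high", {"T1": "no", "N1": "no"}),
    # technology based answer only
    Rule("V-FW-REMOTE", "Firewall administrable from outside the internal network", "high", {"T2": "no"}),
    # non-technology based answers only
    Rule("V-NO-TRAINING", "Patch policy exists but administrators not trained on it", "medium",
         {"N1": "yes", "N2": "no"}),
    # a user's answer contradicted by a third party scanner result
    Rule("V-SCAN-CONTRADICT", "User reports firewall patched but scanner found missing patches", "high",
         {"T1": "yes", "TOOL:missing_patches": True}),
    # application specific
    Rule("V-SAP-DEFAULT-PW", "SAP default account passwords unchanged", "high", {"T3": "no"}),
]


def select_questions(pool, enterprise_type, expertise_by_user, applications):
    """Route each applicable question to every user whose expertise covers it."""
    assignments = {}
    for user, areas in expertise_by_user.items():
        for q in pool:
            if q.expertise not in areas:
                continue
            if q.enterprise_types and enterprise_type not in q.enterprise_types:
                continue
            if q.application and q.application not in applications:
                continue
            assignments.setdefault(user, []).append(q.qid)
    return assignments


def unanswered(assignments, answers):
    """Assigned questions with no recorded answer; these are reported, never guessed."""
    return sorted({qid for qids in assignments.values() for qid in qids} - set(answers))


def assess(answers, rules):
    """Fire each rule whose conditions are all present and satisfied.

    A condition on a missing answer is not satisfied, so an unanswered question
    produces an entry in unanswered(), not a finding."""
    return [r for r in rules
            if all(k in answers and answers[k] == v for k, v in r.conditions.items())]


def run_example():
    setup = {  # constructed set-up administrator responses
        "enterprise_type": "commercial",
        "applications": {"SAP"},
        "expertise_by_user": {"alice": {"LAN admin"}, "bob": {"IT supervisor"},
                              "carol": {"SAP admin", "compliance officer"}},
    }
    assignments = select_questions(QUESTION_POOL, setup["enterprise_type"],
                                   setup["expertise_by_user"], setup["applications"])
    answers = {"T1": "yes", "T2": "no", "N1": "yes", "N2": "no"}  # constructed; carol has not answered T3
    answers["TOOL:missing_patches"] = True                         # constructed third party scanner result
    return assignments, unanswered(assignments, answers), [r.rid for r in assess(answers, RULES)]


if __name__ == "__main__":
    print(run_example())
```

Two design points worth noting. First, the tool result is recorded in the same answer table as the interview responses, so a rule such as V-SCAN-CONTRADICT can check a user's belief against what the scanner observed; a questionnaire alone cannot detect that kind of error. Second, a rule whose question was never answered does not fire: the unanswered question is reported separately so that it can be routed to a qualified user, rather than silently counted as either safe or vulnerable.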

In an embodiment, the present invention is implemented in a computer program.

The present invention can be implemented for use by administrators (“users”) with little or no specialized information security expertise.

The invention includes a core set of tools that allow system administrators to conduct risk assessments of a network and applications running on the network, to test for compliance with security policies, and to write policies where required. The core set of tools interviews one or more users, evaluates the users' responses, and provides feedback. Optional tools allow a user to “query an expert” to gain insights and assistance in performing systems and security administration functions.

In an embodiment, the invention is implemented for a system administrator at a local area network level. Database administrators, web administrators, or application administrators, such as those responsible for SAP™ or Oracle™, can also utilize the invention within their functional domains.

The invention can be implemented with various levels of complexity. For example, the invention can be implemented for conducting limited risk assessments and determining compliance with information security policies and procedures. In this embodiment, the invention identifies critical deficiencies and presents recommendations for correcting them.

In more complex implementations, the invention includes a knowledge base of information security expertise and a more sophisticated query capability. This permits system administrators to utilize information security expertise that would otherwise be available only by employing expensive consultants. The knowledge base is updated periodically to reflect newly identified vulnerabilities and information security practices. Other embodiments of the invention include plug-in modules for product specific network assessments and a variety of commercial tools that conduct active network scans and/or passive network monitoring.

Definitions of various terms and phrases used herein are now provided. Detailed descriptions of the present invention follow the definitions.

A. Definitions

For this specification, the following terms shall have the indicated meaning(s).

Enterprise shall mean any type of entity that utilizes information, including, without limitation, government enterprises, non-government enterprises, commercial enterprises, non-commercial enterprises, for-profit enterprises, and non-profit enterprises. Generally, when a single information security assessment is performed, the scope of the information security assessment defines the enterprise. Multiple assessments are discussed below with respect to domains.

Domain shall mean a group within an enterprise. When a plurality of security assessments are performed and the results are rolled up into an overall information security assessment, the scope of the overall assessment defines the enterprise, and the scope of each of the individual assessments defines a domain within the enterprise. Domains can include, without limitation, geographic domains, function domains, content domains, and administrative domains. Domains can overlap one another. For example, individuals and/or IT components can fall within more than one domain.

“Information” shall mean any information of an enterprise, technical and/or non-technical, including, without limitation:

IT infrastructure information;

human resources information;

intellectual property information;

enterprise security information;

financial information;

accounting information;

customer information;

vendor information;

legal information;

employee information;

regulatory information;

compliance information; and

mergers and acquisition information.

“Information security” shall refer to security of any and/or all information of an enterprise, including that which is created, stored, moved within, and/or transmitted through IT assets of an enterprise (e.g., “electronic information”), and that which is not stored, moved within, and/or transmitted through IT assets of an enterprise.

“IT infrastructure” shall mean any and/or all hardware and/or software components related to storage, processing, and/or transferring of electronic information.

Vulnerability shall mean a weakness that could be exploited, intentionally or unintentionally. Weakness can include, without limitation, weaknesses in policies and/or procedures, bugs in operating system software, bugs in application software, and configuration mistakes. Vulnerability includes, without limitation, “threats” as described in various literature and/or U.S. Government regulations.

Threat, unless otherwise defined herein, shall mean any and all types of threats, and shall not be limited by any specific definition that may be used in the relevant art(s).

Risk, unless otherwise defined herein, shall mean any and all types of risks, and shall not be limited by any specific definition that may be used in the relevant art(s).

Deficiency shall mean technical and/or non-technical elements that reduce information security (such as, for example, handling, set-up, and connectivity).

B. Example Environment

Information security within an enterprise has technical and non-technical aspects. Technical aspects include information technology infrastructure (i.e., technical characteristics, components, connectivity, and architecture). Non-technical aspects include information handling policies, procedures, training and awareness. Information security can be compromised by deficiencies in either aspect. For example, information security can be compromised by deficiencies in IT infrastructure and/or by an individual's lack of proper information handling training and/or awareness.

FIG. 1 illustrates an example enterprise 100 having an IT infrastructure 102. In the illustrated example, the IT infrastructure includes a web server 104, a print server 106, an e-mail server 108, a database 110, a plurality of terminals 112, an internal firewall 114, and an external internet firewall 116. IT infrastructure 102 is provided as an example IT infrastructure. One skilled in the relevant art(s) will understand that an IT infrastructure does not require all of the illustrated components, and can include a variety of other components and configurations, including, without limitation, wide area networks (WANs) and local area networks (LANs).

Information security within enterprise 100 depends, in part, on the components that make up the IT infrastructure 102, their configuration, their connectivity with one another, and the overall architecture.

Information security within enterprise 100 also depends on information security handling policies, procedures, training and awareness. Typically, an enterprise will maintain some information within its IT infrastructure, some information outside of its IT infrastructure, and some information both within and outside of its IT infrastructure. Information maintained outside of an IT infrastructure may be maintained mentally by employees, and/or in a tangible medium, such as in paper files, for example. Information security policies and procedures should take into account all types of information handled by an enterprise.

FIG. 2 illustrates example types of information that are typically utilized by an enterprise, such as enterprise 100. In this example, enterprise 100 includes a number of types of information contained partially or wholly within IT infrastructure 102, including:

human resources information 204;

intellectual property information 206;

financial information 208;

mergers and acquisition information 210;

accounting information 212;

customer information 214;

vendor information 216;

legal information 218;

employee information 220; and

regulatory information 222.

Information types 204-222 are for illustrative purposes only. Other types of information may also be used. Although information types 204-222 are illustrated as separate information types, two or more of information types 204-222 may overlap.

In the example of FIG. 2, the enterprise 100 also includes information outside of the IT infrastructure 202, illustrated as other information 224.

The security of information types 204-222 depends upon the characteristics of the IT infrastructure 102 and upon the policies and procedures for handling the information types 204-222. The policies and procedures for handling the information types 204-222 can include, without limitation, policies and procedures for human handling and policies and procedures implemented within IT infrastructure 102.

The security of other information 224 depends upon policies and procedures for human handling, but does not depend on IT infrastructure information security.

The present invention is a method and system for assessing information security of an enterprise, such as enterprise 100. Based on the teachings herein, one skilled in the relevant art(s) will understand how to implement the present invention for other types of enterprises as well.

In an embodiment, the invention assesses information security based upon IT infrastructure characteristics and information handling policies, procedures, knowledge, training, and awareness.

In an embodiment, the invention assesses information security based upon an enterprise type, considering industry specific vulnerabilities and risks.

In an embodiment, the present invention interviews users based upon the users' area(s) of expertise.

In an embodiment, the present invention is implemented for various domains within an enterprise. A roll-up feature assesses enterprise wide information security based on information security assessments for the domains.

In an embodiment, the invention interviews one or more set-up administrators prior to interviewing users, to determine the type and/or structure of an enterprise and to select questions appropriate for the enterprise.

The invention optionally includes one or more of a number of optional features described below.

II. METHODS FOR ASSESSING ENTERPRISE INFORMATION SECURITY

The present invention is now described in terms of a process. Example methods for implementing the process are provided for illustrative purposes only. Based on the teachings herein, one skilled in the relevant art(s) will understand that the present invention can be implemented with other methods as well, which are within the scope of the present invention.

FIG. 3 illustrates a high level process flow chart 302 of the present invention. The process begins at step 302, interviewing user(s). Details and example implementations of interviewing users are provided below.

Processing proceeds to step 304, assessing information security based on user(s) responses. Details and example implementations of assessing information security are provided below.

Processing then proceeds to step 306, reporting the information security assessment. Details and example implementations of reporting information security assessments are provided below.

A variety of optional start-up processes and/or initialization processes can be implemented as part of step 302. Example optional start-up processes and/or initialization processes are now presented.

A. Process Start-Up

In an embodiment, upon execution of the process, a user is prompted to provide identification information (e.g., user ID and password).

Upon successful login, the user is provided with one or more options, including, without limitation, starting a new assessment, initializing an assessment (described above), continuing with a previously started assessment, querying an expert (described below), and/or executing third party testing/diagnostic applications.

In an embodiment, one or more user options are available to the user throughout the assessment process. For example, where the process is performed under control of a multi-tasking operating system, a user may be permitted to query an expert during an assessment interview, and/or execute third party testing/diagnostic applications.

In FIG. 4, steps 402 and 404 illustrate example process start-up procedures.

FIG. 5 shows additional options that can be presented to the user.

B. Initialization

In an embodiment, step 302 includes an optional initialization process that allows a set-up administrator to configure the process for enterprise particulars. For example, the optional initialization procedure can include querying a set-up administrator to tailor questions according to an enterprise type (described below), to tailor questions according to user areas of expertise (described below), to tailor questions for domains and roll-up (described below), and/or combinations thereof. These options are illustrated at a high level in steps 406-412 of FIG. 4, and are described below.

C. Interviewing Users

Referring back to FIG. 3, in an embodiment of step 302 a single user is interviewed. This may be the case for small enterprises where a single person has the necessary knowledge to answer questions posed during the interviewing process. This may also be the case where a limited assessment is being conducted.

In an alternative embodiment of step 302, multiple users are interviewed. This may be the case where multiple users have information that would be useful to an information security assessment. In a multiple user embodiment, user interviews can be tailored according to users' areas of expertise. This is described below.

In an embodiment of step 302, users are interviewed with questions presented on a display under control of a computer. In this embodiment, users answer questions by entering them into the computer. In an embodiment, users provide answers by typing them on a keyboard or other input device. In another embodiment, users may select an answer from a list of acceptable answers.

In an alternative embodiment, users are interviewed with computer controlled audible questions. In this embodiment, users may provide answers as described above or verbally.

In another alternative embodiment, users are interviewed verbally by a human.

In an embodiment, the process includes a plurality of question pools from which questions can be selected. In an embodiment, the process accommodates the addition of new question pools as they become available.

1. Interviewing Users with Technology and Non-Technology Questions

In an embodiment of step 302, interviewing questions are directed to technical issues, such as, without limitation, IT infrastructure characteristics, components, configuration, connectivity, and/or architecture.

In an embodiment of step 302, interviewing questions are directed to non-technical issues, such as, without limitation, information handling policies, procedures, training, and/or awareness, enterprise type, and/or user area of expertise.

In an embodiment of step 302, interviewing questions are directed to both technical issues and non-technical issues.

Two examples of technical and non-technical interviewing questions are provided at the end of this specification. Some of the example questions are presented with example working aids that provide explanations and/or definitions to assist a user in answering questions. These examples are provided for illustrative purposes only. Other questions can be posed to users to identify deficiencies, vulnerabilities and risks.

2. Interviewing Users Based on Type of Enterprise

Information security issues can vary according to the type of enterprise. For example, and without limitation, issues can include the type(s) of information handled by the enterprise, the importance of the information, the nature and extent of information security policies associated with the information, the types of IT infrastructure utilized by the enterprise, the layout or organization of the enterprise, and the nature of potential threats to the enterprise and its information.

Government enterprises, for example, typically have information security concerns different from and/or in addition to concerns of non-government enterprises. Information security concerns can vary among different types of government enterprises. As a result, different government enterprises may be subject to different compliance criteria. Certain government enterprises may have special security concerns because of their location or the nature of the work. For these reasons, the U.S. Government promulgates compliance criteria for different types of government enterprises. For example, current U.S. Government compliance criteria include, without limitation, Department of Defense Information Technology Security Certification and Accreditation Process (“DITSCAP”) and National Security Agency Information Security Assessment Methodology (“NSA IAM”).

Thus, in an embodiment of the invention, the process interviews users based on an enterprise type. In an implementation, the process selects questions from one or more pools of questions, depending upon an enterprise type. The one or more pools of questions include questions directed to industry specific vulnerabilities and/or risks.

FIG. 7 illustrates an example process flow chart 700 for implementing step 302. The process begins at step 702, determine an enterprise type. In an embodiment, step 702 is performed by interviewing one or more users, which may be one of the users interviewed in step 706 or may be a different user, such as a set-up administrator. In an alternative embodiment, step 702 is performed without user input, for example, by interfacing with the IT infrastructure and accessing information that identifies the enterprise type.

Processing then proceeds to step 704, select enterprise relevant questions. Enterprise relevant questions can be selected in any of a variety of ways. In an embodiment, questions are stored in a database with an indication as to the type of enterprise to which they pertain. In some cases, a question will pertain to more than one type of enterprise. In an alternative embodiment, separate databases of questions are maintained for different types of enterprises.

Processing then proceeds to step 706, interview user(s) with the selected enterprise relevant questions.

FIG. 8 illustrates another example process flow chart 800 for implementing step 302. The process begins at step 802, determine whether the enterprise is a government enterprise or a non-government enterprise. Step 802 can be performed by interviewing a user or automatically, as described for step 702.

From step 802, if the enterprise is a non-government enterprise, processing proceeds to step 804, select non-government relevant questions, followed by step 806, interview user(s) with the selected non-government relevant questions. If the enterprise is a government enterprise, processing proceeds from step 802 to step 808, select government relevant questions, followed by step 810, interview user(s) with the selected government relevant questions.

FIG. 9 illustrates another example process flow chart 900 for implementing step 302. The process is similar to the process 800, with the addition of step 908, select compliance criteria, followed by step 910, select questions relevant to the selected compliance criteria.

The examples herein are provided for illustrative purposes only. The invention is not limited to the examples herein. Based on the teachings herein, one skilled in the relevant art(s) will understand that the present invention can be implemented to interview users with enterprise specific questions for other types of enterprises and/or compliance criteria as well.

3. Interviewing Users Based on Areas of Expertise

In an embodiment, users are interviewed according to their respective areas of expertise, as illustrated in FIG. 10, for example, where step 302 is illustrated as step 1002, interviewing users based on users' areas of expertise. This permits the process to conduct more in-depth interviews of users than might otherwise be possible. This also helps the process to avoid asking questions of a user which the user is not qualified to answer, and thus helps to insure accuracy of information obtained by the process. Step 1002 is illustrated in slightly more detail in FIG. 11 as steps 1102-1104.

In an embodiment, questions are simply presented in groupings associated with areas of expertise, with no attempt to associate groupings with particular users. In an alternative embodiment, a set-up administrator is permitted to assign specific users and/or groups of users to one or more groups of questions.

FIG. 12A illustrates step 1002 as step 1202, interviewing users based on IT areas of expertise. In an embodiment, the users are administrators or supervisors of various IT areas of expertise.

FIG. 12B illustrates step 1202 for the example IT infrastructure 102 illustrated in FIG. 1. In step 1204, a user is interviewed regarding web server 104. In step 1206, a user is interviewed regarding printer server 106. In step 1208, a user is interviewed regarding email server 108. In step 1210, a user is interviewed regarding database 110. In step 1212, a user is interviewed regarding terminals 112. In step 1214, a user is interviewed regarding firewall 114. In step 1216, a user is interviewed regarding internet firewall 116. Additionally, a user can be interviewed regarding wide area networks (WANs), local area networks (LANs), overall policy and architecture.

In the example of FIG. 12B, one or more of the groups of questions can be presented to the same user or group of users. Similarly, one or more groups of questions can be presented to different users or groups of users.

In an embodiment, the interviews include both IT infrastructure questions and policy questions.

Users may also be interviewed based on other information areas of expertise, such as the areas of information illustrated in FIG. 2.

The example areas of expertise described herein are provided as illustration only. The present invention can be used to interview users based on other areas of expertise as well.

In an embodiment, a user's area of expertise is determined in advance during an optional initialization process, described above. Optionally, a user verification process—i.e., user identification and/or password—is utilized to insure that only predetermined users are interviewed.

Alternatively, or in combination with the above, questions are posed to a user at the time of interviewing to determine and/or verify the user's expertise.

4. Interviewing Users Based on Enterprise Type and Area of Expertise

In an embodiment, the process interviews multiple users based on the type of enterprise and the users' areas of expertise.

5. Working Aids

In an embodiment, working aids are provided to users. Working aids can be provided in a number of contexts and for a number of purposes. Working aids can include, without limitation, advice on information security considerations of installing or configuring components, explanations of why certain policy issues are important and possible consequences of not addressing them, definitions, and general reference material, including hot links.

Working aids are provided during the interviewing process of step 302 to assist in answering questions, for example. Working aids can also be provided with reports in step 306 to assist readers in understanding the reports. Working aids can also include working aids to assist users in developing solutions, for example, by suggesting one or more possible solutions and providing additional information to assist the user in deciding which solution is appropriate for the enterprise.

Working aids are provided in any of a variety of formats. In an embodiment, when a user is interviewed via a display terminal, availability of a working aid is indicated to the user with a special font, highlighting, or any other suitable display formatting technique. In this embodiment, the user can “click” or otherwise indicate that the available working aid is desired. The process will then provide the working aid.

Alternatively, working aids are presented automatically whenever appropriate.

6. Dynamic Interviewing—Question Dependencies

In an embodiment, the interviewing process is dynamic in that questions posed to a user can depend upon one or more prior answers from the user and/or from another user. This allows the process to ask for additional information in areas where it might lead to a more thorough information security assessment. For example, if a user has additional information that could be useful, it would be prudent for the process to continue interviewing the user until the user's knowledge is exhausted.

Question dependencies can be utilized, for example, when an answer to a question, or to a group of questions, indicates a vulnerability or a potential vulnerability. Further questions and user responses may clarify the potential vulnerability or eliminate the concern.

Question dependencies also allow the process to cut short a line of questions that may not be relevant to the situation or to the user. For example, if a user indicates that he/she has no knowledge of a particular line of questioning, it would be pointless to ask additional details.

Question dependencies can be implemented, for example, as a nested loop of questions, whereby, when the nested loop of questioning ends, interviewing continues from where the nested loop began.

Question dependencies can also be implemented as a jump to another line of questioning, where interviewing may or may not return to the prior line of questioning.
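The nested-loop, jump and cut-short forms of question dependency described above, as an added example in Python that is not part of the patent or any STK product: a small interview engine over a constructed question pool (question ids, wording and permissible responses are assumptions). Each answer can open a nested line that resumes where it began, jump to another line with no return, or end the current line when the user indicates no knowledge.

```python
"""Dependency-driven interviewing (added example, not the patent's code)."""
from dataclasses import dataclass, field


@dataclass
class Question:
    qid: str
    text: str
    choices: tuple                                  # permissible responses
    nested: dict = field(default_factory=dict)      # answer -> follow-up line; resume after it
    jump: dict = field(default_factory=dict)        # answer -> new line; no return to this one
    end_line: frozenset = frozenset()               # answers that cut the current line short


# Constructed question pool; ids, wording and choices are illustrative only.
POOL = {
    "FW1": Question("FW1", "Is a firewall deployed between the LAN and the Internet?",
                    ("yes", "no"),
                    nested={"yes": ["FW2", "FW3"]},          # drill into firewall details
                    jump={"no": ["NOFW1", "POL1"]}),          # different line, no return
    "FW2": Question("FW2", "Are the firewall rules reviewed at least quarterly?",
                    ("yes", "no", "unknown"),
                    end_line=frozenset({"unknown"})),        # user lacks knowledge: stop here
    "FW3": Question("FW3", "Is firewall administration restricted to the internal network?",
                    ("yes", "no")),
    "NOFW1": Question("NOFW1", "Is there a plan and budget to deploy a firewall?",
                      ("yes", "no")),
    "WEB1": Question("WEB1", "Is the web server on a segment separate from the LAN?",
                     ("yes", "no")),
    "POL1": Question("POL1", "Is there a written information security policy?",
                     ("yes", "no")),
}
MAIN_LINE = ["FW1", "WEB1", "POL1"]


def scripted(script):
    """Offline answer source: script maps qid -> attempted answers in order. An attempt
    outside the permissible responses is rejected and the next one is taken, which
    mirrors the interview module prompting the user to re-answer."""
    def answer(question):
        for attempt in script[question.qid]:
            if attempt in question.choices:
                return attempt
        raise ValueError(f"no permissible answer supplied for {question.qid}")
    return answer


def run_interview(pool, main_line, answer_fn):
    """Ask questions following the dependencies; returns [(qid, answer), ...] in order.
    The stack of (line, next index) frames gives nested lines their return point."""
    frames = [(list(main_line), 0)]
    transcript = []
    while frames:
        line, idx = frames.pop()
        if idx >= len(line):
            continue                                  # line finished, resume enclosing line
        question = pool[line[idx]]
        answer = answer_fn(question)
        transcript.append((question.qid, answer))
        if answer in question.end_line:
            continue                                  # cut this line short
        if answer in question.jump:
            frames.append((list(question.jump[answer]), 0))   # replaces the current line
            continue
        frames.append((line, idx + 1))                # return point for this line
        if answer in question.nested:
            frames.append((list(question.nested[answer]), 0))  # nested loop runs first
    return transcript


if __name__ == "__main__":
    script = {"FW1": ["yes"], "FW2": ["maybe", "unknown"], "WEB1": ["yes"], "POL1": ["no"]}
    for qid, ans in run_interview(POOL, MAIN_LINE, scripted(script)):
        print(f"{qid}: {POOL[qid].text} -> {ans}")
```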

D. Assessing User Responses

Referring back to FIG. 3, after step 302, the process proceeds to step 304, assessing information security based on users' responses. Step 304 preferably analyzes user responses to questions in conjunction with known vulnerabilities and/or other considerations associated with IT infrastructure characteristics, components, connectivity, and/or architecture, and/or policy and/or procedures. Such vulnerabilities and/or other considerations can be obtained from a variety of sources including, without limitation, prior experience, product bulletins, research, reverse engineering, and web postings. Generally, as more sources are consulted, more vulnerabilities and/or other considerations are identified.

Questions posed to users during step 302 are designed to elicit information from users necessary to determine which, if any, of the vulnerabilities and/or other considerations apply to an enterprise. The questions posed to users are preferably developed by persons having knowledge of the vulnerabilities and/or other issues.

Step 304 outputs deficiency statements based on the analysis of user responses, vulnerabilities and/or other considerations. Deficiency statements can be directed to technical and/or non-technical issues. Deficiency statements can include, without limitation, lists of identified vulnerabilities, deficiencies, critical deficiencies, and risks. Example embodiments of this process are described below. Deficiency statements can also include suggested corrective actions. Other example types of deficiency statements are found throughout this specification.

1. Logic Based Assessment

In an embodiment, step 304 is performed by outputting information security deficiency statements that are associated with answers to one or more questions. This embodiment is referred to as logic based assessment.

For example, in some situations, the answer to a single question may indicate a deficiency (e.g., a vulnerability or risk, a lack of a relevant information security policy, lack of knowledge of a relevant information security policy, failure to follow an established information security policy, etc.). In other cases, however, a deficiency may depend upon answers to a series or group of related or unrelated questions. In other situations, a deficiency may be indicated by similar or conflicting answers to the same question or group of questions by multiple users.

Example systems for implementing logic based assessments are described below.

Information security deficiency statements can take many forms and can be directed to technology based deficiencies (e.g., deficiencies in IT infrastructure characteristics, components, configuration, connectivity, and/or architecture) and/or to non-technology based deficiencies (e.g., policies, procedures, training and/or awareness).

In an embodiment, step 304 includes prioritizing deficiencies.

In an embodiment, step 304 includes identifying critical deficiencies.

In an embodiment, step 304 includes identifying deficiencies in a local computing environment that require immediate attention, with or without recommended actions.

In an embodiment, step 304 includes identifying deficiencies in a local computing environment that require further analysis.

In an embodiment, step 304 includes generating a policy statement.

In an embodiment, step 304 includes generating a new policy statement. In an embodiment, step 304 includes generating a revised policy statement.

In an embodiment, step 304 includes generating a combination of two or more of the above example embodiments.

2. Expert Knowledge Based Assessments

In an embodiment, step 304 is performed with an expert (knowledge based) system in which knowledge from human subject-matter experts is encoded into a software program in such a way that the coded logic of the software program provides a searchable repository of this subject-matter knowledge. The expert system is encoded in such a way as to accept input and make inferences based on the implications of that input that a human subject-matter expert would normally be expected to make but which were not specifically encoded in the expert system.

3. Artificial Intelligence Based Assessments

In an embodiment, step 304 is performed with artificial intelligence (AI), such that input data is subjected to analysis by AI, and the problem solving methods and/or analysis and/or other tasks for which the AI is designed are modified by the AI itself as a result of the output of previous processing cycles.

4. Comparisons with Prior Assessments

In an embodiment, the present invention performs comparisons with prior information security assessments.

In an embodiment, comparisons with prior information security assessments are performed using current reports and prior reports.

In another embodiment, comparisons with prior information security assessments are performed using current analysis results and prior analysis results.

In another embodiment, comparisons with prior information security assessments are performed using current raw data and prior raw data.

In an embodiment, users can select among two or more of the above options when comparing information security assessments.

E. Reporting Information Security Assessment

In an embodiment, step 306 generates and stores one or more pre-formatted reports. Reports can include, without limitation, critical deficiencies requiring immediate attention, deficiencies requiring further analysis, and/or enterprise-wide critical deficiencies.

Report information can include, without limitation, one or more of the following types of information:

scope of report (e.g., computing environment that was subject to the assessment, e.g., domain, organizational component);

date of assessment;

names of servers;

names of LANs;

version of process/software/tool kit used for interviews/assessment;

version of tool kit modules and plug-ins used;

versions of third party software tools executed (active or passive);

user queries;

versions of question pools (including application specific question pools);

versions of vulnerability and risk pools used;

version of policy module used.

The various modules referred to above are described below in the description of a system for assessing information security.

In an embodiment, information is inserted into one or more standardized report templates. Standardized report templates can include, without limitation:

risk assessment of local computing environment;

deficiencies in local environment requiring immediate attention;

deficiencies in local environment that require further analysis;

deficiencies that must be escalated for enterprise-wide analysis and resolution;

information security policy for local computing environment;

measure of enterprise conformance to the information security policy;

measure of overall security posture of the enterprise;

measure of the effectiveness of enterprise-wide security training and awareness programs; and

list of most serious information security problems facing the enterprise.

In an embodiment, upon a user command, a pre-formatted report is output. Alternatively, a user can be permitted to generate a report to include one or more user-selected report templates.

In an embodiment, a user determines where a report will be output (e.g., to a display, a printer, or to an I/O device for forwarding to another device).

F. Multiple Domain and Roll-Up Features

In an embodiment, the present invention can be configured to assess information security for one or more domains within an enterprise, and to assess information security across the entire enterprise based on the security assessments from the totality of individual domains.

In an embodiment, a separate instance of the process 300 is implemented for each domain, and the results are analyzed to assess information security for the enterprise. See FIG. 18, for example.

In an embodiment, reports from individual domains are used to assess enterprise-wide information security.

In another embodiment, analysis results from individual domains are used to assess enterprise-wide information security.

In another embodiment, raw data (i.e., user(s) responses from individual domains) is used to assess enterprise-wide information security.

In an embodiment, users may select among two or more of the above options when assessing enterprise-wide information security.

G. Querying an Expert

The present invention optionally includes a “query an expert” feature that allows users to query a repository of information related to information security, IT infrastructure, or any other type of information embodied within a repository.

In an embodiment, upon start-up, the user is prompted to select between performing an information security assessment and the optional query an expert feature. Alternatively, the optional query an expert feature is available at any time to the user. This can be implemented, for example, when the process of interviewing a user and the optional initialization process are performed under a multi-tasking operating system.

The process is preferably designed to permit updating of the repository of information.

H. Execution of Third Party Testing/Diagnostic Programs

In an embodiment, the present invention permits a user to execute a third party testing and/or diagnostic program, such as, for example, a program that actively probes an IT infrastructure or component(s) thereof, or one that passively monitors network activity.

In an embodiment, the process analyzes results of the third party program in conjunction with responses from users. For example, a vulnerability may depend upon a user response and test results. Alternatively, the process analyzes results of the third party program independent of responses from users. Alternatively, the present invention does not analyze results of the third party testing/diagnostic program.

In an embodiment, test results are used to select one or more questions for interviewing users in step 302.

I. Assessments Directed to Third Party Application Programs

In an embodiment, the present invention interviews users with questions developed for one or more particular third party application programs. This is useful where a significant part of an enterprise's information is maintained under or as a part of a particular third party application program. For this embodiment, questions are designed to address IT infrastructure and/or policy issues associated with the third party application(s).

In an embodiment, this optional feature is selected and/or initialized during the optional initialization process.

In an embodiment, the invention is implemented to assess security of information handled by a third party application, such as SAP and/or Oracle™, for example. This can include provision of application specific information, such as questions, vulnerabilities, instructions and/or code. Application specific information can be stored in one or more databases and/or other repositories of an information security tool kit.

In an embodiment, the invention includes an application specific tailoring tool that allows users to generate and/or modify application specific information for the databases and/or other information repositories of an information security tool kit. In operation, the tool queries one or more users having knowledge of a third party application and knowledge of problem-solving methodologies employed by the enterprise for conducting information security assessments and evaluations.

For example, the tool may present a graphical depiction of sequential problem-solving steps to the user(s) and prompt the user(s) to rearrange the sequential problem-solving steps to correspond to the method that the enterprise uses to conduct information security assessments and evaluations.

In addition to capturing the method(s) by which the user conducts an assessment, the tool captures application-specific data. For example, and without limitation, the tool can capture one or more of the following types of application specific data:

questions to ask about the particular application;

vulnerabilities associated with the particular application;

material added to the “query an expert” function that would permit that function to be more appropriately used for the particular application; and

report templates for the particular application.

Information collected from the user is then stored and used to generate application specific information to implement the enterprise's methodology in a computer system. The generated application specific information may include, without limitation, a software interface to the application-specific databases and other data repositories.

Systems and methods for collecting problem solving information are commercially available. Based on the description herein, one skilled in the relevant art(s) will understand how to implement this aspect of the invention.

III. EXAMPLE SYSTEMS FOR ASSESSING INFORMATION SECURITY

The present invention can be implemented manually, and/or in software, hardware, firmware, and/or combinations thereof. Systems for implementing the present invention are now described with the assistance of functional block diagrams. Based on the descriptions and functional block diagrams herein, one skilled in the relevant art(s) will be able to implement the invention manually, and/or in software, hardware, firmware, and/or combinations thereof.

In an embodiment, the invention is implemented in software as an interactive set of tools referred to generally herein as a security tool kit (“STK”), which operates from a CD-ROM or downloadable software on a user's desktop or laptop computer. The STK poses questions to a user about technical characteristics of a local computing environment and the procedures used to create, store, and transmit computerized information within the user's computers and between the user's computers and other computers. From the responses of the user, the STK identifies deficiencies in the capability of the local computing environment to protect information from unauthorized disclosure, and it will suggest corrective actions that can be applied to correct these deficiencies. The STK evaluates existing information security policies and procedures, and it will guide the user through the process of developing information security policies for the local computing environment.

The invention can be implemented for government enterprises, commercial enterprises, and for both government enterprises and commercial enterprises.

A. Example Security Tool Kit

FIG. 6 illustrates a high level block diagram of an example security tool kit (“STK”) 600.

FIG. 13 illustrates an example of STK 600 as STK 1300, including a user interview module 1302, an inference engine 1304, a report generator 1306, databases 1308, and an optional initialization module 1310.

FIG. 14 illustrates an example implementation of databases 1308, including interview questions 1402 and possible responses 1404. Interview questions 1402 can include generic questions, generic questions modified for product specific modules, and/or product specific questions.

Databases 1308 also include vulnerabilities 1406, dependencies 1408, and risks 1410. Vulnerabilities 1406 is a repository of information security vulnerabilities. Dependencies 1408 is a repository of relationships among questions and answers. In other words, dependencies 1408 can include a function that maps answers to results. Risks 1410 is a repository of information security risks, which can include generic risks and/or industry specific risks.

Databases 1308 also include optional working aids 1412, policy components 1414, and recommendations 1422. Policy components 1414 preferably include information security policies with numbered sections. Recommendations 1422 preferably include policy sections specific to identified deficiencies.

Databases 1308 also include store responses 1416, store analyzed results 1418, and store reports 1420. Store responses 1416 include user answers. Store analyzed results 1418 can include the results of the inference engine 1304 and/or possible answers to questions associated with the questions. Store reports 1420 are generated by the report generator 1306.

FIGS. 15A and 15B illustrate example data flows for the example STK 1300 and for some of the databases. Numbers, other than element reference numbers typically used throughout this specification, are for reference purposes only and do not indicate a sequence for performing any processes.

In an embodiment, store responses 1416, store analyzed results 1418, and store reports 1420 include results from one or more prior information security assessments. In such an embodiment, analysis module 1304 includes a second inference engine for comparing assessments, and report generator 1306 includes a report generator for generating reports for assessment comparisons.

1. Optional Initialization Module

The optional initialization module 1310 can be implemented to perform a variety of functions and/or processes. For example, in an embodiment, the optional initialization module 1310 performs a Super User Function, which includes the following sub-functions:

specify if this is a new assessment;

authenticate “super user” with privilege to assign user names and privileges;

determine which users have privileges to enter data in specified STK modules (described below) for the current assessment; and

assign user names and access privileges to individuals.

In an embodiment, the optional initialization module 1310 performs an enterprise type identification process, which includes obtaining a company name and industry type.

In an embodiment, the optional initialization module 1310 allows users to start a new assessment, resume a previously begun assessment, or compare a previously completed assessment.

In the example embodiment described, the optional initialization module 1310 receives interactive user input and outputs an industry type and company identification information.

2. Interview Module

The interview module 1302 presents questions to users. In an embodiment, the interview module 1302 receives an industry type, selects industry specific questions, and presents the industry appropriate questions to users.

The interview module 1302 compares user answers to the database of possible responses 1404 and prompts the user to re-answer if an answer is not permissible. In an embodiment, the interview module 1302 checks answers for dependencies to other questions.

3. Inference Engine

The inference engine 1304 identifies information security deficiencies based at least on user responses (store responses 1420 in FIG. 14) and vulnerabilities 1406 (FIG. 14). In an embodiment, the inference engine 1304 also considers one or more of the following:

third party vulnerabilities 2108;

third party testing/diagnostic application test results; and

user queries to a knowledge database (e.g., query an expert module 1902 in FIG. 19), and/or responses to such user queries.

In an embodiment, the inference engine 1304 first identifies vulnerabilities based on user responses to certain questions. The inference engine 1304 then analyzes the vulnerabilities in light of any of a variety of relevant factors, which can include, without limitation, one or more of the user responses that were used to identify the vulnerabilities. Based on the analysis of any identified vulnerabilities, the inference engine 1304 identifies security deficiencies.

Information security deficiencies can include IT infrastructure deficiencies and policy deficiencies. Policy deficiencies can be in the form of information security policy sections or statements.

In an embodiment, inference engine 1304 determines risks. Risks can be based on one or more of interview questions, associated user responses, industry type, vulnerabilities, and/or asset value. In an embodiment, the inference engine 1304 receives a list of questions, associated user answers, and an industry type, and outputs a rank ordered list of critical information security risks, policy sections associated with specified vulnerabilities, and policy sections associated with specified risks.

The inference engine 1304 can be implemented to perform one or more of the following tasks:

interpret results of active and/or passive third party testing/diagnostic software;

correlate answers with vulnerabilities;

identify deficiencies;

rank deficiencies in order of criticality; and

determine applicable sections of information security policy.
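As an added example (not the patent's own code), a logic based inference engine of the kind described above: it correlates interview answers with a vulnerability database, analyzes the vulnerabilities in light of the asset-value answers, emits deficiencies ranked by criticality, and lists the applicable policy sections. The question keys and answer values follow the example questions in Section V; the vulnerability table, weights, policy section names and function names are assumptions.

```python
from dataclasses import dataclass

LEVEL = {"Low": 1, "Medium": 2, "High": 3}   # asset-value answers


@dataclass(frozen=True)
class Vulnerability:
    vid: str
    question: str          # interview question whose answer reveals it
    trigger: tuple         # answers that indicate the vulnerability
    base_severity: int     # 1 (low) .. 5 (critical) before asset weighting
    deficiency: str        # statement placed in the deficiency report
    policy_sections: tuple  # applicable information security policy sections
    kind: str              # "infrastructure" or "policy"


# Constructed vulnerability database (cf. vulnerabilities 1406).  Keys such
# as "web.runs_as_root" stand for the web server questions of Example 1;
# "1004", "1006", "2005" are the policy question numbers from Example 1.
VULNERABILITIES = [
    Vulnerability("V-ROOT", "web.runs_as_root", ("Yes",), 4,
                  "Web server process runs as root", ("Server hardening",), "infrastructure"),
    Vulnerability("V-NOGUIDE", "web.config_guide", ("No", "Don't Know"), 3,
                  "Web server installed without a security configuration guide",
                  ("Server hardening", "Change management"), "infrastructure"),
    Vulnerability("V-NOTRACK", "web.vuln_tracking", ("No", "Don't Know"), 4,
                  "Published web server vulnerabilities are not tracked",
                  ("Vulnerability management",), "infrastructure"),
    Vulnerability("V-BREACH", "web.breach_6mo", ("Yes",), 5,
                  "Web server was breached within the last six months",
                  ("Incident response",), "infrastructure"),
    Vulnerability("V-SHARED", "1004", ("Yes",), 3,
                  "More than one employee may share a user name and password",
                  ("Access management",), "policy"),
    Vulnerability("V-ORPHAN", "2005", ("No", "Don't Know"), 4,
                  "Accounts of departed employees are not deactivated",
                  ("Access management", "Employment begins/terminates"), "policy"),
    Vulnerability("V-NOAUDIT", "1006", ("No", "Don't Know"), 2,
                  "No audits for inactive accounts", ("Access management",), "policy"),
]


@dataclass
class Deficiency:
    vid: str
    statement: str
    criticality: int
    kind: str
    policy_sections: tuple


def asset_weight(answers: dict) -> int:
    """Asset value from the two asset-value questions (Low/Medium/High).
    A missing answer counts as Medium so that a gap never hides a finding."""
    cost = LEVEL.get(answers.get("asset.replacement_cost"), 2)
    impact = LEVEL.get(answers.get("asset.impact"), 2)
    return max(cost, impact)


def identify_vulnerabilities(answers: dict) -> list:
    """Step 1: correlate answers with vulnerabilities."""
    return [v for v in VULNERABILITIES if answers.get(v.question) in v.trigger]


def analyze(answers: dict) -> list:
    """Steps 2 and 3: weigh each vulnerability by asset value (a recent breach
    also escalates untracked vulnerabilities), then rank the resulting
    deficiencies by criticality, highest first."""
    found = identify_vulnerabilities(answers)
    weight = asset_weight(answers)
    breached = any(v.vid == "V-BREACH" for v in found)
    deficiencies = []
    for v in found:
        crit = v.base_severity * weight
        if breached and v.vid == "V-NOTRACK":
            crit += 3          # breached and not tracking fixes: repeat exposure
        deficiencies.append(Deficiency(v.vid, v.deficiency, crit, v.kind, v.policy_sections))
    deficiencies.sort(key=lambda d: (-d.criticality, d.vid))
    return deficiencies


def applicable_policy_sections(deficiencies: list) -> list:
    """Policy sections associated with the identified vulnerabilities, in
    order of first appearance in the ranked list."""
    seen = []
    for d in deficiencies:
        for s in d.policy_sections:
            if s not in seen:
                seen.append(s)
    return seen


def by_kind(deficiencies: list) -> dict:
    """IT infrastructure deficiencies and policy deficiencies, listed separately."""
    out = {"infrastructure": [], "policy": []}
    for d in deficiencies:
        out[d.kind].append(d.vid)
    return out


# Constructed interview: one web server plus three policy questions.
SAMPLE_ANSWERS = {
    "asset.replacement_cost": "Medium", "asset.impact": "High",
    "web.runs_as_root": "Yes", "web.config_guide": "Don't Know",
    "web.vuln_tracking": "No", "web.breach_6mo": "Yes",
    "1004": "No", "2005": "Don't Know", "1006": "Yes",
}

if __name__ == "__main__":
    for d in analyze(SAMPLE_ANSWERS):
        print(d.criticality, d.vid, d.statement)
```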

In an embodiment, inference engine 1304 is a logic based inference engine. In an example implementation, the logic is embodied in software, such as software compiled from C++, for example. Alternatively, the logic is a specification language, or interpreted language.

In an embodiment, inference engine 1304 is an expert system (or knowledge based system) in which knowledge from human subject-matter experts is encoded into a software program in such a way that the coded logic of the software program provides a searchable repository of this subject-matter knowledge. The expert system is encoded in such a way as to accept input and make inferences based on the implications of that input that a human subject-matter expert would normally be expected to make but which were not specifically encoded in the expert system.

In an embodiment, inference engine 1304 is an artificial intelligence (AI) system, such that input data is subjected to analysis by the AI-based inference engine and the problem solving methods or analysis or other tasks for which the AI system is designed are modified by the AI system itself as a result of the output of previous processing cycles.

In an embodiment, the inference engine 1304 permits users to review results of previously completed assessments, perform “what if” scenarios by varying the previously entered answers and inputs, and observe the resulting outputs. This can be useful, for example, in deciding how to change a computing environment.

In an embodiment, the inference engine 1304 permits users to compare results of a previous assessment with results of a current assessment.

Accordingly, the inference engine 1304 can be implemented to perform, or allow a user to select, one or more of the following functions:

choose a previously completed assessment to analyze;

choose a segment (e.g., portion or domain) of a selected assessment to analyze (user may choose to select one or more such segments for comparison and analysis);

compare a selected assessment/segment(s) with a current assessment to identify differences;

permit user to vary or change answers to questions of a selected previously completed assessment/segment and observe the differences in the outputs and reports;

display results of comparison/analysis to user on a display; and

save results of comparison/analysis to pass to report generator.

4. Report Generator

The report generator 1306 can be implemented to perform one or more of the following features:

determine applicable report type;

format report for viewing;

format report for printing;

format report for saving in STK database 1308.

Typically, the report generator 1306 receives questions posed to users and associated user answers, a list of working aids accessed during an interview, and analyzed results of user interviews.

Example processes that are typically performed by the report generator 1306 are now described. Unless otherwise specified, these processes are optional and combinable.

In a determine a report type function, the report generator 1306 correlates questions and answers with one or more appropriate types of reports, and selects a report template from a database of templates. Report types can include, without limitation, the following:

risk assessment of local computing environment;

deficiencies in local environment that require immediate attention;

deficiencies in local environment that require further analysis;

deficiencies that must be escalated for enterprise-wide analysis and resolution;

information security policy for local computing environment;

measure of enterprise conformance to the information security policy;

measure of overall security posture of the enterprise;

measure of the effectiveness of enterprise-wide security training and awareness programs; and

list of most serious information security problems facing the enterprise.

The report generator 1306 inserts appropriate information into reports, such as enterprise identification information. The report generator 1306 also formats and inserts questions posed to users and user responses into the report.

Where optional working aids are utilized, the report generator 1306 inserts any working aid material that was accessed during an interview into the report. More specifically, the report generator 1306 selects appropriate templates for a working aids section of the report, and inserts selected working aids material into the report.

Where implemented, the report generator 1306 inserts results of any queries to the query an expert module 1902 (FIG. 19) into the report.

Where implemented, the report generator 1306 inserts results of any executions of third party software into the appropriate report.

Where appropriate, the report generator 1306 inserts any analyses of prior assessments into the report. More specifically, the report generator 1306 selects a template for an appropriate report format and inserts prior assessment results into the report.

The report generator 1306 prints reports upon appropriate request and saves reports in a report database for future reference.

5. Graphical User Interface

In an embodiment, the STK 1300 includes a graphical user interface (GUI) with a pull-down menu structure. In an example implementation, the pull-down menu includes the following tool bars. The example below includes options for multiple domains, referred to in this example as segments. The example below is for illustrative purposes only. Other tool bars, tool bar features, and GUIs are within the scope of the present invention.

Main Menu Bar

A. File
   1. New (slide across)
      Assessment
      Segment
   2. Open (pop-up window (tree) listing Assessments and Segments)
   3. Close
   4. Save
   5. Delete
      Assessment
      Segment
   6. Print
      Question Templates
      Report Templates
   7. Exit

B. Administer
   1. Add New User
      User Name
      Organization
      Job Function (radio button)
         System Administrator
         Security Administrator
         Security Officer
         Manager
         CIO
      Phone Number
      Email Address
      Privileges
         <assessment name> (pull-down)
         <segment name> (radio buttons)
            view (default)
            enter data
            delete segment
      Username:
      Password:
      Confirm Password:
   2. Modify User
   3. Delete User
      Username to delete:
      Confirm Username to delete:
   4. List Users (radio buttons)
      <by assessment> <assessment name> (pull down)
      <by segment> <segment name> (pull down)
      <all users>
   5. Create New
   6. Assign user privileges

C. Compute Risk

D. Help
   1. Contents and Index

B. Multiple Domains and Roll-Up Features

In an embodiment, the present invention includes a roll-up module for assessing information security for an enterprise based on multiple domains.

FIG. 16 illustrates the STK 1300 with an optional roll-up module 1602. FIG. 18 illustrates an example multiple domain implementation. In this example, separate instances 1802 through 1804 of the STK 1300 are provided for each domain within an enterprise. Each STK instance 1802 through 1804 preferably provides a local domain report, 1806 and 1808. Each STK instance 1802 through 1804 also provides information to the roll-up module 1602, which analyzes the combined results and generates an enterprise-wide report 1810.

In FIG. 17, the optional roll-up module 1602 is illustrated with an enterprise-wide inference engine 1702 and an enterprise-wide report generator 1704. The enterprise-wide inference engine 1702 analyzes information from the multiple domains. In an alternative embodiment, this function is performed by inference engine 1304 in FIG. 13.

In an embodiment, the enterprise-wide inference engine 1702 combines user responses from multiple domains, looks for relationships among the responses, identifies deficiencies across the enterprise, and presents an aggregate description of the security posture of the enterprise.

In an alternative embodiment, the enterprise-wide inference engine 1702 combines analysis results from the multiple domains, identifies deficiencies across the enterprise, and presents an aggregate description of the security posture of the enterprise.

In an alternative embodiment, the enterprise-wide inference engine 1702 combines individual reports from multiple domains and presents an aggregate description of the security posture of the enterprise.
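As an added example (not the patent's own code), a roll-up of the kind described in the embodiment that combines per-domain analysis results: each STK instance contributes its ranked deficiencies, the roll-up identifies deficiencies recurring across domains, flags those for enterprise-wide escalation and produces an aggregate posture. The per-domain records are constructed here, and the escalation threshold, scoring and rating rules are assumptions.

```python
from collections import defaultdict

# Constructed local-domain analysis results (one per STK instance, cf. local
# domain reports 1806 and 1808): domain -> {deficiency id: criticality}.
DOMAIN_RESULTS = {
    "finance-lan": {"V-NOTRACK": 15, "V-ORPHAN": 12, "V-ROOT": 12},
    "engineering": {"V-NOTRACK": 10, "V-SHARED": 9},
    "ecommerce":   {"V-BREACH": 15, "V-NOTRACK": 15, "V-ROOT": 8},
}


def roll_up(domain_results: dict, escalate_share: float = 0.5) -> list:
    """Combine domain results into one enterprise-wide ranked list.

    A deficiency present in at least escalate_share of the domains is marked
    for enterprise-wide analysis and resolution; the rest remain local
    findings.  Enterprise criticality is the worst domain value plus 2 for
    every additional affected domain, so breadth and depth both raise rank."""
    by_vid = defaultdict(dict)
    for domain, deficiencies in domain_results.items():
        for vid, criticality in deficiencies.items():
            by_vid[vid][domain] = criticality
    n_domains = len(domain_results)
    rows = []
    for vid, per_domain in by_vid.items():
        count = len(per_domain)
        rows.append({
            "vid": vid,
            "domains": sorted(per_domain),
            "enterprise_criticality": max(per_domain.values()) + 2 * (count - 1),
            "escalate": count / n_domains >= escalate_share,
        })
    rows.sort(key=lambda r: (-r["enterprise_criticality"], r["vid"]))
    return rows


def posture(rows: list, domain_results: dict) -> dict:
    """Aggregate description of the enterprise security posture for the
    enterprise-wide report: a coarse rating plus the escalated deficiencies."""
    escalated = [r["vid"] for r in rows if r["escalate"]]
    worst = rows[0]["enterprise_criticality"] if rows else 0
    if worst >= 15 or len(escalated) >= 3:
        rating = "Poor"
    elif worst >= 10 or escalated:
        rating = "Fair"
    else:
        rating = "Good"
    return {"rating": rating, "domains": len(domain_results),
            "deficiencies": len(rows), "escalated": escalated}


if __name__ == "__main__":
    rows = roll_up(DOMAIN_RESULTS)
    for r in rows:
        print(r["enterprise_criticality"], r["vid"], r["domains"], "ESCALATE" if r["escalate"] else "")
    print(posture(rows, DOMAIN_RESULTS))
```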

C. Query an Expert Module

FIG. 19 illustrates an optional query an expert module 1902, which allows users to “query an expert.” In an embodiment, query an expert module 1902 provides insights and assistance in performing systems and security administration functions through look-up tables. In more complex implementations, query an expert module 1902 includes a knowledge base of information security expertise and a more sophisticated query capability. Preferably, the knowledge base is updated periodically to reflect newly identified vulnerabilities and information security practices.

Two example implementations of the optional query an expert module 1902 are presented below. These example implementations are provided for illustrative purposes only. Based on the teachings herein, one skilled in the relevant art(s) will understand that other implementations are also possible, which are within the scope of the present invention.

In a structured query implementation, the optional query an expert module 1902 permits users to ask structured queries. Upon receipt of a query, the query an expert module 1902 determines a relevant area of information security knowledge and presents a list of related information security knowledge to the user. The user can then select a specific item within the displayed area of information security knowledge.

In a natural language implementation, the optional query an expert module 1902 permits users to ask unstructured questions. Upon receipt of a query, the query an expert module 1902 determines a relevant area of information security knowledge and presents a list of related information security knowledge to the user. The user can then select a specific item within the displayed area of information security knowledge.

In an embodiment, the query an expert module 1902 correlates users' answers with related sections of the optional working aids database 1412. The query an expert module 1902 then presents retrieved working aids material to the user. This is useful, for example, to indicate to the user why a topic of the interview is important.

D. Third Party Testing/Diagnostic Modules

FIG. 20 illustrates an optional third party testing/diagnostic plug-in module (“module”) 2000, which interfaces the STK with commercial third party testing/diagnostic programs. Third party testing/diagnostic programs include tools that conduct active network scans and/or passive network monitoring.

Module 2000 includes any necessary interfacing features to allow the STK 1300 to execute one or more selected third party testing/diagnostic programs. Optionally, the module 2000 also includes necessary interfacing features to allow the STK 1300 to receive results from the selected third party testing/diagnostic programs, so that the STK 1300 can analyze the results in combination with user responses.

When implemented, module 2000 presents a list of available third party software applications to the user and receives a user selection. The module 2000 then executes the selected application, presents the results to the user, and makes the results available to the inference engine 1304 and/or the report generator 1306.

In an embodiment, based on answers obtained during the interview process, module 2000 determines which portion(s) of the third party application results to analyze. The module 2000 also determines the level of detail of the results of the third party application to analyze. The module 2000 extracts relevant information from the results of the third party application and presents the results of the analysis to the user. The module 2000 also preferably saves the results in the database 1308.

E. Third Party Application Modules

FIG. 21 illustrates database 1308 with an optional third party application database 2102, which provides application specific features that allow the STK 1300 to assess information security for one or more particular applications operating on the IT infrastructure of an enterprise.

In the example illustrated in FIG. 21, the optional third party application database 2102 includes third party specific questions 2104, third party possible responses 2106, third party specific vulnerabilities 2108, optional third party specific working aids 2110, third party specific policy components 2112, and optional third party specific risks 2114.

User interview module 1302, inference engine 1304, and report generator 1306 operate as previously described, with additional interviewing, assessing, and reporting functions provided by the optional third party application database 2102.

F. Implementation in a Computer Program

In an embodiment, the invention is implemented in one or more computer systems capable of carrying out the functionality described herein.

FIG. 22 illustrates an example computer system 2200, including one or more processors 2204. Processor 2204 is connected to a communication bus 2202. Various software embodiments are described in terms of this example computer system 2200. After reading this description, it will become apparent to a person skilled in the relevant art how to implement the invention using other computer systems and/or computer architectures.

Computer system 2200 also includes a main memory 2206, preferably random access memory (RAM), and can also include a secondary memory 2208. Secondary memory 2208 can include, for example, a hard disk drive 2210 and/or a removable storage drive 2212, representing a floppy disk drive, a magnetic tape drive, an optical disk drive, etc. Removable storage drive 2212 reads from and/or writes to a removable storage unit 2214 in a well known manner. Removable storage unit 2214 represents a floppy disk, magnetic tape, optical disk, etc. which is read by and written to by removable storage drive 2212. Removable storage unit 2214 includes a computer usable storage medium having stored therein computer software and/or data.

In alternative embodiments, secondary memory 2208 can include other similar means for allowing computer programs or other instructions to be loaded into computer system 2200. Such means can include, for example, a removable storage unit 2222 and an interface 2220. Examples of such can include a program cartridge and cartridge interface (such as that found in video game devices), a removable memory chip (such as an EPROM, or PROM) and associated socket, and other removable storage units 2222 and interfaces 2220 which allow software and data to be transferred from the removable storage unit 2222 to computer system 2200.

Computer system 2200 can also include a communications interface 2224. Communications interface 2224 allows software and data to be transferred between computer system 2200 and external devices. Examples of communications interface 2224 include, but are not limited to, a modem, a network interface (such as an Ethernet card), a communications port, a PCMCIA slot and card, etc. Software and data transferred via communications interface 2224 are in the form of signals 2226, which can be electronic, electromagnetic, optical or other signals capable of being received by communications interface 2224. These signals 2226 are provided to communications interface 2224 via a signal path 2228. Signal path 2228 carries signals 2226 and can be implemented using wire or cable, fiber optics, a phone line, a cellular phone link, an RF link and other communications channels.

In this document, the terms “computer program medium” and “computer usable medium” are used to generally refer to media such as removable storage device 2212, a hard disk installed in hard disk drive 2210, and signals 2226. These computer program products are means for providing software to computer system 2200.

Computer programs (also called computer control logic) are stored in main memory and/or secondary memory 2208. Computer programs can also be received via communications interface 2224. Such computer programs, when executed, enable the computer system 2200 to perform the features of the present invention as discussed herein. In particular, the computer programs, when executed, enable the processor 2204 to perform the features of the present invention. Accordingly, such computer programs represent controllers of the computer system 2200.

In an embodiment where the invention is implemented using software, the software can be stored in a computer program product and loaded into computer system 2200 using removable storage drive 2212, hard drive 2210 or communications interface 2224. The control logic (software), when executed by the processor 2204, causes the processor 2204 to perform the functions of the invention as described herein.

In another embodiment, the invention is implemented primarily in hardware using, for example, hardware components such as application specific integrated circuits (ASICs). Implementation of the hardware state machine so as to perform the functions described herein will be apparent to persons skilled in the relevant art(s).

In yet another embodiment, the invention is implemented using a combination of both hardware and software.

IV. EXAMPLE IMPLEMENTATION

In an embodiment, the invention is implemented to perform the following initialization features:

establish an assessment category (government v. commercial, and any compliance criteria (e.g., DITSCAP, NSA IAM));

determine category of user (e.g., application administrator, network administrator, senior IT professional (e.g., CIO));

determine mode of use (standalone v. roll-up); and

determine mode of implementation (generic v. product specific).

In an embodiment, the invention is implemented to interview users generically and/or application specifically (e.g., SAP, Oracle).

In an embodiment, the invention is implemented to interview users based on their associated areas of expertise.

In an embodiment, the invention is implemented to assess domains and the corresponding enterprise as a whole.

In an embodiment, the invention is implemented to allow users to query an expert (generically and/or application specifically).

In an embodiment, the invention is implemented to allow users to execute third party applications, such as third party active and/or passive diagnostic/test applications.

In an embodiment, the invention is implemented with all of the above features. In alternative embodiments, the invention is implemented with fewer than all of the above features.

V. EXAMPLE QUESTIONS

A. Example 1

Assessment Set-Up

1. What is the company's name? (input box)

2. What is the company's address? (input box)

Specific information about the target for the assessment must be gathered at this point. The target for the assessment is the part, or parts, of the company that will undergo the assessment. For example, the target may be a company's e-commerce business, a specific file server, all networks utilized by the finance organization, or the entire company.

3. What name will be used for the target of the assessment? (input box)

4. How does the target of the assessment derive its income? (pull down menu)

Answer Options      Help Text
Banking
Consulting
Education
Government
Insurance
Medical
Retail
Technology
Transportation
Utilities

Within the target, there are one or more domain boundaries which define who owns, manages, or controls what with regard to its Information Technology (IT) resources. Domain boundaries may have been created around LAN segments, IP addresses, physical locations, or job functions. For small targets, there may be only one domain boundary, meaning all IT resources within that boundary are controlled by the same administrators, while larger targets may have several domain boundaries.

It is important for the Toolkit to know about, and differentiate among, domain boundaries, because each will likely have different characteristics. An accurate risk assessment will depend on describing the target of the assessment accurately.

5. How many divisions, defined by domain boundaries, exist within the target? (radio button)

one

more than one

If the answer to question 5 is “one,” then ask question 6:

6. What is the name of the domain boundary area?

Division Name (input box)

If the answer to question 5 is “more than one,” then ask question 7:

7. Name each domain boundary.

Division Name (input box) Add another Done (radio buttons)

Scope and Boundary

Identify and Value Assets

Network Characteristics Section

200. DATABASE

300. Email

400. Web

Assets

Enter information about the web servers within this domain boundary. (Input box for web server name, pull down menus for OS platform, OS version and Function. See question 801 for an explanation of how the pull down menus for OS platform and OS version should work.)

Server Name

Server Type

Hardware Architecture

OS platform

OS version

Function

Answer Options - Server Type    Answer Options - Version    Help Text
Apache                          x.x
Netscape                        x.x

Answer Options - OS platform    Answer Options - HW arch    Answer Options - OS Version    Help Text
Solaris                         Intel, Sparc                2.4, 2.5.1, 2.6, 2.7, 2.8
RedHat Linux                    Intel, Sparc                5.2, 6.0, 6.1
Windows                         Intel                       3.1, 95, 98, NT
HP-UX                           PA-RISC                     9.x, 10.10, 10.20, 11.0

Answer Options - Function       Help Text
E-Commerce on Internet
Host Internet web site
Intraoffice applications
Interoffice applications

Is the hardware on which this web server runs owned/controlled/managed by the web administrator? (radio button)

Yes

No

If yes, then ask 2 questions about asset value:

What is the replacement cost of the asset?

Low

Medium

High

What is the impact on the company if the asset is disclosed, modified, destroyed or misused?

Low

Medium

High

Which of the following data items are assets of this web server? (radio buttons)

Code which drives Web pages (html, Java, Perl, etc)

Multi-media contained on Web pages (graphics, audio, video, etc)

Customer information collected via Web pages

Customer orders collected via Web pages

IT configuration

Does the web server run as root? (radio button)

Yes

No

Policies and Procedures


Threats

Did this web server experience a security breach within the last six months? (radio buttons—Yes, No, Don't Know)

Did this web server experience a security breach within the last year? (radio buttons—Yes, No, Don't Know)

Vulnerabilities

Has a security configuration guide been consulted for the installation and testing of this web server? (radio buttons—Yes, No, Don't Know)

Are published vulnerabilities associated with this type of web server tracked and countermeasures implemented? (radio buttons—Yes, No, Don't Know)

Safeguards

500. File Server (NFS)

600. Network Information (DNS, NIS, NIS+)

700. Critical Infrastructure Components (routers, firewalls, modem banks, etc)

800. Desktops (Installation, OS Patches, User Access, Trust)

801. Enter all the operating systems which are used as clients on the network. (pull down menus, as follows. If user chooses Solaris for “OS client”, the version numbers in the pull down menu under “Version” automatically change to reflect the possible Solaris versions. User should have options at the bottom for “OK” to enter the next operating system, “Done” to indicate all operating systems have been entered, “Back” to look at the previous operating system entered, and “Next” to move forward. There should be a summary presented of all the information chosen for this question after the user hits “Done”. Require user to enter “Done” on the summary screen to move ahead to next question.)

OS client    Version    Internet Connect    Num Clients    % patched    Lag time

Answer Options - OS client    Answer Options - Version      Help Text
Solaris                       2.4, 2.5.1, 2.6, 2.7, 2.8
RedHat Linux                  5.2, 6.0, 6.1
Windows                       3.1, 95, 98, NT
HP-UX                         9.x, 10.10, 10.20, 11.0

Answer Options - Internet Connectivity    Help Text
Yes
No
Don't Know

Answer Options - Num Clients    Help Text
1-5 clients
6-10 clients
11-20 clients
21-50 clients
51-100 clients
More than 100 clients

Answer Options - % patched    Help Text
0%
25%
50%
100%
Don't Know

Answer Options - Lag time    Help Text
Hours
Days
Weeks
Months
Years

900. Connectivity (Intrasite, Intersite)

Policy and Procedure Section

1000. Access management

1001. When a user logs on, does the system display a banner that states employee privacy rights?

1002. Does the organization have guidelines for the composition of passwords?

1003. Does the organization have guidelines for the frequency of changing passwords?

1004. Can more than one employee share a user name and password?

1005. Are contractors, temporary employees, and vendors issued passwords that expire after a fixed duration?

1006. Does someone conduct audits for inactive accounts?

1007. Has the organization had a security incident within the past year that has resulted in lost or corrupted information or degradation of the performance of the information technology?

2000. Employment Begins/Terminates

2001. Does the organization have an Information Security Policy?

2002. Does each employee receive a copy of the organization's Information Security Policy?

2003. Does each employee sign an agreement agreeing to comply with the organization's Information Security Policy?

2004. Who determines an employee's access privileges on the information system? [pull down menu with the following selections: “employee”, “manager/supervisor”, “system administration”, “don't know”]

2005. If an employee leaves the organization, does someone deactivate that person's accounts?

2006. Does the organization have a documented policy that explains the requirements for returning all organization property when employment terminates?

3000. Privacy

3001. Is each employee required to sign an agreement acknowledging their understanding of their privacy rights while using the organization's information systems?

3002. Does the organization have a documented policy concerning the storage, use and access of personal information in the workplace?

3003. Does each employee sign a statement agreeing to unannounced audits of their use of the organization's information system resources?

4000. ACCEPTABLE USE OF CORPORATE INFORMATION SYSTEM ASSETS

4001. Are all users required to sign a statement that describes acceptable use of organization information system resources?

4002. Are users explicitly prohibited from using information resources to send, view, access or store child pornography?

4003. Does the organization have a policy on using corporate computers for personal use?

4004. Do employees use corporate computers to access sites on the Internet?

4005. Are users told of the possible consequences of unacceptable use of corporate information resources?

4006. Are users told how to report improper use of corporate information resources?

5000. Virus Prevention, Detection, Response, Training

5000. Does the organization provide training to each employee in the prevention and detection of computer viruses?

5001. Does the organization have documented policies for responding to computer viruses?

5002. Does the organization train each employee in the proper response

B. Example 2

Design

Network Characteristics

General Requirements

The tool will present a log-in screen. For now we'll assume that an administrator account was established during installation.

All answers will be tagged with the userid entered at the login screen.

100. General Questions Section

101. What is the company's name? (input box)

102. What is the company's address? (input box)

103. What type of business is the company in? (pull down menu)

Answer Options      Help Text
Banking
Consulting
Education
Government
Insurance
Medical
Retail
Technology
Transportation
Utilities

104. How is the network administered? (pull down menu)

Answer Options                Help Text
Distributed administration    We have several different administrators, each with sole control of, and responsibility for, the administration of a certain aspect of the network.
Centralized administration    We have one office which controls and administers the entire network.
Combination                   There are local administrators with certain responsibilities, and a central office responsible for other areas of administration.

If the answer to question 104 is “Distributed Administration,” then ask question 106:

106. How are the areas of distributed administration responsibility defined?

(pull down menu)

Answer Options            Help Text
LANs
IP address ranges
Router boundaries
Access to file servers

If the answer to question 106 is “LANs,” then ask question 107:

107. What are the LAN domain names? (Input boxes—there will be several answers.)

If the answer to question 106 is “IP address ranges,” then ask question 108:

108. What are the IP address ranges? (Input boxes—there will be several answers.)

If the answer to question 106 is “Router boundaries,” then ask question 109:

109. What are the Router addresses? (Input boxes—there will be several answers.)

If the answer to question 106 is “Access to file servers,” then ask question 110:

110. What are the file server names? (Input boxes—there will be several answers.)

Note: The answers to these questions will be used as the way that the analysis/roll up can be done—by tagging all the questions asked of the LAN x administrator with the answers to this question.

111. What name should be given to this risk analysis? (input box)

200. Database

300. Email

400. Web

401. Enter information about all the web servers. (Input box for web server name, pull down menus for OS platform, OS version and Function. See question 801 for an explanation of how the pull down menus for OS platform and OS version should work.)

Server Name    Server Type    OS platform    OS version    Function

Answer Options - Server Type    Answer Options - Version    Help Text
Apache                          x.x
Netscape                        x.x

Answer Options - OS platform    Answer Options - OS Version    Help Text
Solaris                         2.4, 2.5.1, 2.6, 2.7, 2.8
RedHat Linux                    5.2, 6.0, 6.1
Windows                         3.1, 95, 98, NT
HP-UX                           9.x, 10.10, 10.20, 11.0

Answer Options - Function       Help Text
E-Commerce on Internet
Host Internet web site
Intraoffice applications
Interoffice applications

402. Has a security configuration guide been consulted for installing and testing each web server? (pull down menu—Yes, No, Don't Know)

403. Which web servers have experienced a security breach within the last six months? (pull down menu with server names from 401, plus “None” and “Don't Know”.)

404. Which web servers have experienced a security breach within the last year? (pull down menu with server names from 401, plus “None” and “Don't Know”.)

500. File Server (NFS)

600. Network Information (DNS, NIS, NIS+)

700. Critical Infrastructure Components (routers, firewalls, modem banks, etc.)

800. Desktops (installation, OS patches, user access, trust)

801. Enter all the operating systems which are used as clients on the network. (pull down menus, as follows. If user chooses Solaris for “OS client”, the version numbers in the pull down menu under “Version” automatically change to reflect the possible Solaris versions. User should have options at the bottom for “OK” to enter the next operating system, “Done” to indicate all operating systems have been entered, “Back” to look at the previous operating system entered, and “Next” to move forward. There should be a summary presented of all the information chosen for this question after the user hits “Done”. Require user to enter “Done” on the summary screen to move ahead to next question.)

OS client / Version / Internet Connection / Num Clients / % patched / Lag time

Answer Options - OS client (Version; Help Text):
Solaris 2.4, 2.5.1, 2.6, 2.7, 2.8
RedHat Linux 5.2, 6.0, 6.1
Windows 3.1, 95, 98, NT
HP-UX 9.x, 10.10, 10.20, 11.0

Answer Options - Internet Connectivity (Help Text):
Yes
No
Don't Know

Answer Options - Num Clients (Help Text):
1-5 clients
6-10 clients
11-20 clients
21-50 clients
51-100 clients
More than 100 clients

Answer Options - % patched (Help Text):
0%
25%
50%
100%
Don't Know

Answer Options - lag time (Help Text):
Hours
Days
Weeks
Months
Years
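The branching of questions 104 and 106 through 110, the dependent “Version” menu of question 801, and the roll-up tagging described in the note after question 110, as an added example in Python that is not part of the patent; the “count of No answers” aggregation in `roll_up` is this example's own assumption.

```python
# Added example (not the patent's own code): a small driver for the branching
# interview above. Question 106 routes to 107-110 by answer, question 801's
# "Version" menu depends on the chosen "OS client", and the answers to 107-110
# tag every later response so results can be rolled up per administrator scope.
from collections import defaultdict

Q106_FOLLOWUP = {  # answer to 106 -> (follow-up number, follow-up text)
    "LANs": (107, "What are the LAN domain names?"),
    "IP address ranges": (108, "What are the IP address ranges?"),
    "Router boundaries": (109, "What are the Router addresses?"),
    "Access to file servers": (110, "What are the file server names?"),
}
OS_VERSIONS = {  # question 801: Version menu is re-populated from OS client
    "Solaris": ["2.4", "2.5.1", "2.6", "2.7", "2.8"],
    "RedHat Linux": ["5.2", "6.0", "6.1"],
    "Windows": ["3.1", "95", "98", "NT"],
    "HP-UX": ["9.x", "10.10", "10.20", "11.0"],
}

def next_question(q104_answer, q106_answer=None):
    """(number, text) of the next question to ask, or None if the branch ends."""
    if q104_answer != "Distributed Administration":
        return None  # 106 is only asked when administration is distributed
    if q106_answer is None:
        return (106, "How are the areas of distributed administration "
                     "responsibility defined?")
    if q106_answer not in Q106_FOLLOWUP:
        raise ValueError(f"not a pull-down option for 106: {q106_answer!r}")
    return Q106_FOLLOWUP[q106_answer]

def version_menu(os_client):
    """Options offered under 'Version' once 'OS client' is chosen (801)."""
    return OS_VERSIONS.get(os_client, [])

def tag_responses(scope, responses):
    """Tag each (question, answer) an administrator gave with every scope name
    that administrator entered at 107-110; the scope is the roll-up key."""
    return [{"question": q, "answer": a, "scope": s} for s in scope for q, a in responses]

def roll_up(tagged):
    """Per scope, count 'No' answers (the aggregation rule assumed here)."""
    counts = defaultdict(int)
    for r in tagged:
        if r["answer"] == "No":
            counts[r["scope"]] += 1
    return dict(counts)

if __name__ == "__main__":  # constructed sample: one LAN administrator
    tagged = tag_responses(["lan-a.example"], [(1002, "No"), (1003, "Yes")])
    print(next_question("Distributed Administration", "LANs"), roll_up(tagged))
```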

900. Connectivity (intrasite, intersite)

Policy and Procedures

1000. Access management

1001. When a user logs on, does the system display a banner that states employee privacy rights?

1002. Does the organization have guidelines for the composition of passwords?

1003. Does the organization have guidelines for the frequency of changing passwords?

1004. Can more than one employee share a user name and password?

1005. Are contractors, temporary employees, and vendors issued passwords that expire after a fixed duration?

1006. Does someone conduct audits for inactive accounts?

1007. Has the organization had a security incident within the past year that has resulted in lost or corrupted information or degradation of the performance of the information technology?

2000. Employment begins/terminates

2001. Does the organization have an Information Security Policy?

2002. Does each employee receive a copy of the organization's Information Security Policy?

2003. Does each employee sign an agreement to comply with the organization's Information Security Policy?

2004. Who determines an employee's access privileges on the information system? [pull down menu with the following selections: “employee”, “manager/supervisor”, “system administration”, “don't know”]

2005. If an employee leaves the organization, does someone deactivate that person's accounts?

2006. Does the organization have a documented policy that explains the requirements for returning all organization property when employment terminates?

3000. Privacy

3001. Is each employee required to sign an agreement acknowledging their understanding of their privacy rights while using the organization's information systems?

3002. Does the organization have documented policy concerning the storage, use and access of personal information in the workplace?

3003. Does each employee sign a statement agreeing to unannounced audits of their use of the organization's information system resources?

4000. Acceptable use of corporate information system assets

4001. Are all users required to sign a statement that describes acceptable use of organization information system resources?

4002. Are users explicitly prohibited from using information resources to send, view, access or store child pornography?

4003. Does the organization have a policy on using corporate computers for personal use?

4004. Do employees use corporate computers to access sites on the internet?

4005. Are users told of the possible consequences of unacceptable use of corporate information resources?

4006. Are users told how to report improper use of corporate information resources?

5000. Virus prevention, detection, response, training

5001. Does the organization provide training to each employee in the prevention and detection of computer viruses?

5002. Does the organization have documented policies for responding to computer viruses?

5003. Does the organization train each employee in the proper response to virus incidents?

VI. CONCLUSION

The present invention has been described above with the aid of functional building blocks illustrating the performance of specified functions and relationships thereof. The boundaries of these functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternate boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Any such alternate boundaries are thus within the scope and spirit of the claimed invention. One skilled in the art will recognize that these functional building blocks can be implemented by discrete components, application specific integrated circuits, processors executing appropriate software and the like or any combination thereof.

While various embodiments of the present invention have been described above, it should be understood that they have been presented by way of example only, and not limitation. Thus, the breadth and scope of the present invention should not be limited by any of the above-described exemplary embodiments, but should be defined only in accordance with the following claims and their equivalents.

1. A computer-implemented method, comprising: selecting information handling questions from a database of information handling questions based on one or more of an entity type and user area of expertise, wherein the information handling questions relate to one or more of information technology (IT) infrastructure and information handling policy; presenting the selected questions to one or more users; receiving user responses to the selected questions; receiving information collected from within the IT infrastructure by a computer program executing within the IT infrastructure; evaluating the user responses in combination with the information collected from within the IT infrastructure; and assessing information security based on results of the evaluating.

2. The method of claim 1, wherein the information collected from within the IT infrastructure includes one or more of active network scanning information and passive network monitoring information.

3. The method of claim 1, wherein the information collected from within the IT infrastructure includes one or more of test information and diagnostic information.

4. The method of claim 1, wherein the selecting includes: selecting at least one of the questions based on the information collected from within the IT infrastructure.

5. The method of claim 1, wherein the evaluating includes: identifying a vulnerability based on a combination of the user responses and the information collected from within the IT infrastructure; and evaluating the vulnerability based on one or more of the user responses and the information collected from within the IT infrastructure.

6. The method of claim 1, wherein the evaluating includes: identifying a vulnerability based on one or more of the user responses and the information collected from within the IT infrastructure; and evaluating the vulnerability based on a combination of the user responses and the information collected from within the IT infrastructure.

7. The method of claim 1, wherein the evaluating includes: evaluating the results of the computer program executed within the IT infrastructure in combination with the user responses, and independent of the user responses.

8. A system, comprising: a database of information handling questions, wherein the questions relate to one or more of information technology (IT) infrastructure and information handling policy; a user-interview system to select information handling questions from the database based on one or more of an entity type and an area of user expertise, present the selected questions to one or more users, and receive user responses to the selected questions; an evaluation system to receive information collected from within the IT infrastructure by a computer program executing within the IT infrastructure, evaluate the user responses in combination with the information collected from within the IT infrastructure, and assess information security based on results of the evaluating.

9. The system of claim 8, wherein the information collected from within the IT infrastructure includes one or more of active network scanning information and passive network monitoring information.

10. The system of claim 8, wherein the information collected from within the IT infrastructure includes one or more of test information and diagnostic information.

11. The system of claim 8, wherein the user interview system is implemented to: select at least one of the questions based on the information collected from within the IT infrastructure.

12. The system of claim 8, wherein the evaluation system is implemented to: identify a vulnerability based on a combination of the user responses and the information collected from within the IT infrastructure; and evaluate the vulnerability based on one or more of the user responses and the information collected from within the IT infrastructure.

13. The system of claim 8, wherein the evaluation system is implemented to: identify a vulnerability based on one or more of the user responses and the information collected from within the IT infrastructure; and evaluate the vulnerability based on a combination of the user responses and the information collected from within the IT infrastructure.

14. The system of claim 8, wherein the evaluation system is implemented to: evaluate the results of the computer program executed within the IT infrastructure in combination with the user responses, and independent of the user responses.

15. A non-transitory computer readable medium encoded with a computer program, including instructions to cause a processor to: select information handling questions from a database of information handling questions based on one or more of an entity type and user area of expertise, wherein the information handling questions relate to one or more of information technology (IT) infrastructure and information handling policy; present the selected questions to one or more users; receive user responses to the selected questions; receive information collected from within the IT infrastructure by a computer program executing within the IT infrastructure; evaluate the user responses in combination with the information collected from within the IT infrastructure; and assess information security based on results of the evaluating.

16. The computer readable medium of claim 15, wherein the information collected from within the IT infrastructure includes one or more of active network scanning information and passive network monitoring information.

17. The computer readable medium of claim 15, wherein the information collected from within the IT infrastructure includes one or more of test information and diagnostic information.

18. The computer readable medium of claim 15, wherein the instructions to select questions include instructions to cause the processor to: select at least one of the questions based on the information collected from within the IT infrastructure.

19. The computer readable medium of claim 15, the instructions to evaluate include instructions to cause the processor to: identify a vulnerability based on a combination of the user responses and the information collected from within the IT infrastructure; and evaluate the vulnerability based on one or more of the user responses and the information collected from within the IT infrastructure.

20. The computer readable medium of claim 15, the instructions to evaluate include instructions to cause the processor to: identify a vulnerability based on one or more of the user responses and the information collected from within the IT infrastructure; and evaluate the vulnerability based on a combination of the user responses and the information collected from within the IT infrastructure.
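The evaluating step of claims 1, 5 and 6 (a vulnerability identified and rated from user responses combined with information collected from within the IT infrastructure), worked on the web-server questions 401 through 404, as an added Python example that is not part of the patent; the scanner record format, the sample servers and the severity rules are this example's assumptions.

```python
# Added example (not the patent's own code): the evaluating step of claim 1
# applied to the web-server questions 401-404. Interview responses are
# combined with constructed "information collected from within the IT
# infrastructure" (a scanner's view of each server) to identify and rate
# findings; the rating rules are this example's assumptions, not the patent's.

def identify_findings(responses, scan):
    """Return [(server, finding, severity)] from interview plus scan data.

    responses: {"401": [{name, type, os, version, function}, ...],
                "402": "Yes" | "No" | "Don't Know",
                "403": [names breached in the last six months],
                "404": [names breached in the last year]}
    scan: {name: {"banner": "<type>/<version>", "internet": bool}}
    """
    findings = []
    for srv in responses["401"]:
        name, seen = srv["name"], scan.get(srv["name"])
        if seen is None:  # declared in the interview, never seen on the wire
            findings.append((name, "declared server not observed by scan", "medium"))
            continue
        declared = f'{srv["type"]}/{srv["version"]}'
        if seen["banner"] != declared:  # user's inventory disagrees with scan
            findings.append((name, f"banner {seen['banner']} != declared {declared}", "medium"))
        # identified only from the combination: no hardening guide consulted
        # (interview) on a host the scanner sees exposed to the Internet
        if responses["402"] != "Yes" and seen["internet"]:
            sev = "high" if srv["function"] == "E-Commerce on Internet" else "medium"
            findings.append((name, "Internet-facing server installed without a security configuration guide", sev))
        # breach history (interview) rated by the exposure the scan shows
        if name in responses["403"] and seen["internet"]:
            findings.append((name, "breached in the last six months and still Internet-facing", "high"))
        elif name in responses["404"]:
            findings.append((name, "breached within the last year", "medium"))
    return findings

def assess(findings):
    """Roll the findings up to one rating: the worst severity present."""
    order = {"low": 0, "medium": 1, "high": 2}
    return max((f[2] for f in findings), key=order.get, default="low")

if __name__ == "__main__":
    # constructed sample: one exposed e-commerce server with a recent breach
    resp = {"401": [{"name": "www1", "type": "Apache", "os": "RedHat Linux",
                     "version": "1.3", "function": "E-Commerce on Internet"}],
            "402": "Don't Know", "403": ["www1"], "404": ["www1"]}
    scan = {"www1": {"banner": "Apache/1.3", "internet": True}}
    for f in identify_findings(resp, scan):
        print(f)
    print(assess(identify_findings(resp, scan)))  # high
```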